Blue Coat Labs

Hacked Wordpress Sites Lead to Exkits, CryptoWall

Chris Larsen

Because ransomware attacks are so disruptive and damaging, we make tracking them a priority. "CryptoWall" is one of the attacks we're tracking, and I wanted to highlight one aspect of the network that's distributing it: they're hacking sites running Wordpress left and right.

In a representative attack chain from earlier this week, note the heavy use of hacked sites, which all seem to be running Wordpress:

  • hicentral.com is a real estate site in Hawaii:

[screenshot: hacked real estate site]

  • rlyw.net is a sports blog, covering the New York Yankees:

[screenshot: hacked sports blog]

Both are running Wordpress, and both are hacked. Their traffic looks like it's coming from Google and Bing, but I haven't seen any evidence that the Bad Guys are actively doing Search Engine Poisoning (SEP) to artificially boost these sites in the search result rankings -- they appear to just be taking advantage of the sites' normal search traffic.


These sites are sending visitors' browsers off to a page on another hacked site, lunchesforlife.org, a charity site:

[screenshot: hacked charity site]

The page on lunchesforlife (which runs Wordpress, naturally), contains an injected iFrame that looks like this:

[screenshot: the injected iFrame]

Note that the iFrame's destination, ghlu.org, is also running WordPress, and that the iFrame is sized like a typical advertising banner but is placed well off-screen, so the visitor never sees it.

It sends the browser off on a safari (sorry) to the innocent-but-hacked religious site:

[screenshot: hacked religious site]

(I keep warning about the lions that are waiting to eat the Foolish Zebras in the herd. In this case, it's somewhat literal...)


There are other vectors at work, besides the search engine avenue mentioned above:

  • a similar iFrame is showing up on a shady site on a Russian host (eurodir.ru)
  • ghlu.org is also being fed by a malvertising site (adv-inc-net.com)
  • another of the involved sites, vellejaresearch.com, also shows up in what looks like traffic from a different evil network (I just flagged that network in our system, since I didn't have time to drill deeper; so much malware, so little time...)
  • other malvertising feeders into the network include webspado.ru and solocpm.com

So it's a tangled web, but eventually the victim's browser encounters a large attack page (on yet another hacked Wordpress site) that consists almost entirely (99.5%) of obfuscated Javascript, the specifics of which change frequently. Our analysts' notes are pretty consistent in identifying this part of the attack as the "Goon" or "Infinity" exploit kit.
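Two of the page-level tells above are easy to check for mechanically: an iFrame that is banner-sized but hidden or pushed far off-screen, and a landing page whose content is almost nothing but script. The following Python scanner is an added example, not Blue Coat's tooling and not the actual injected iFrame (which appears in this post only as a screenshot). The sample pages, the `*.example` hostnames, and the threshold values are constructed for illustration; the scanner also flags 1x1 iFrames, a related hiding trick the post doesn't discuss.

```python
"""Page-level heuristics for two exploit-kit redirect-chain indicators:
  1. an <iframe> that is hidden/off-screen (and possibly ad-banner sized)
  2. a page whose characters are almost entirely <script> content

Added example, not Blue Coat's code.  Sample HTML, hostnames (*.example)
and thresholds are constructed for illustration.
"""
import re
from html.parser import HTMLParser

# Common display-ad dimensions (width, height).  An iframe with one of these
# sizes that is also hidden or off-screen is a strong injection signal.
BANNER_SIZES = {(728, 90), (468, 60), (300, 250), (160, 600), (320, 50)}

# A negative offset at least this large (px) is treated as deliberate hiding
# rather than a layout quirk.  Constructed threshold.
OFFSCREEN_PX = 1000

# Constructed stand-in for the hacked charity page: one legitimate embed, one
# injected off-screen banner-sized iframe, and one 1x1 "pixel" iframe.
SAMPLE_INJECTED_PAGE = """<html><body>
<h1>Lunch program</h1>
<iframe src="https://video.example/embed/xyz" width="560" height="315"></iframe>
<iframe src="http://hacked-church.example/wp-content/x.php"
        width="728" height="90"
        style="position:absolute; left:-9999px; top:-9999px;"></iframe>
<iframe src="http://tracker.example/p" width="1" height="1"></iframe>
</body></html>"""

# Constructed stand-in for the exploit-kit landing page: a little markup
# wrapped around one large obfuscated script blob.
SAMPLE_LANDING_PAGE = ("<html><body><script>var a=" + "x" * 2000
                       + ";</script></body></html>")


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":          # html.parser lowercases tag names
            self.iframes.append(dict(attrs))


def _css_px(style, prop):
    """Integer pixel value of `prop` in an inline style string, or None."""
    m = re.search(r"(?:^|;)\s*" + re.escape(prop) + r"\s*:\s*(-?\d+)(?:px)?",
                  style, re.I)
    return int(m.group(1)) if m else None


def _int_attr(attrs, name):
    v = attrs.get(name)
    m = re.match(r"\s*(\d+)", v) if v else None
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the element is display:none / visibility:hidden, or is pushed
    far outside the viewport with a large negative offset."""
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for prop in ("left", "top", "margin-left", "margin-top", "text-indent"):
        v = _css_px(style, prop)
        if v is not None and v <= -OFFSCREEN_PX:
            return True
    return False


def find_suspicious_iframes(html):
    """Return [{'src', 'size', 'reasons'}] for iframes that are hidden,
    off-screen, or 1x1/0x0; 'banner-sized' is added when the dimensions
    match a standard ad unit (the pattern seen on the hacked charity page)."""
    p = IframeCollector()
    p.feed(html)
    hits = []
    for a in p.iframes:
        w, h = _int_attr(a, "width"), _int_attr(a, "height")
        reasons = []
        if is_hidden(a):
            reasons.append("hidden-or-offscreen")
        if any(d is not None and d <= 1 for d in (w, h)):
            reasons.append("tiny")
        if not reasons:
            continue                 # visible and normally sized: not flagged
        if (w, h) in BANNER_SIZES:
            reasons.append("banner-sized")
        hits.append({"src": a.get("src"), "size": (w, h), "reasons": reasons})
    return hits


def script_ratio(html):
    """Fraction of the page's characters that sit inside <script> blocks."""
    if not html:
        return 0.0
    inside = sum(len(m.group(0)) for m in
                 re.finditer(r"<script\b[^>]*>.*?</script>", html, re.I | re.S))
    return inside / len(html)


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_INJECTED_PAGE):
        print("suspicious iframe:", hit)
    print("script ratio of landing page: %.3f" % script_ratio(SAMPLE_LANDING_PAGE))
```

Neither heuristic is proof on its own (a legitimate tracking pixel is also 1x1, and some single-page apps are mostly script), but together with the referrer chain they are cheap triage signals when a proxy log shows a WordPress site handing visitors to a second, unrelated WordPress site.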

--C.L.
